Front desk cash registers at more than 1,200 hotels in the InterContinental Hotels Group, which includes the Holiday Inn and Crowne Plaza brands, were infected with malware that stole customer debit and credit card data between September 29, 2016 and December 29, 2016, the company said.
InterContinental originally said only a dozen properties were affected, but has now expanded the list.
The initial breach was reported in December by the security news site KrebsOnSecurity.
The hotel chain has not published a full list of the properties that were affected but instead offered a state-by-state lookup page. U.S. shares (IHG) of the U.K. company were down 0.1%.
Of the company's brands, only Holiday Inn, Crowne Plaza, Hotel Indigo, Candlewood Suites and Staybridge Suites were affected, it said.
The hotels so far identified are all in the United States and Puerto Rico, but the company is still investigating other properties in the Americas and will update its look-up tool when the investigation is complete, said Neil Hirsch, InterContinental Hotels communications director for the Americas.
Approximately 1,200 franchise hotel locations in the Americas were affected, he said. The company has a network of more than 5,000 hotels in over 100 countries, so that could mean more than one-fifth of its hotels were affected.
The malware stole information read from the magnetic stripe of a payment card as it traveled through the affected hotel’s server. That information could have included the cardholder’s name in addition to card number, expiration date, and internal verification code. The company doesn’t believe other guest information was affected, it said in its statement.
The company suggests that anyone who stayed at one of its properties during the time period the malware was present review their payment card statement for any unauthorized activity and report the charges to the credit card issuer.
Hotels are especially at risk for point-of-sale (cash register) breaches because payment card data is used throughout each hotel location and most have multiple terminals, said John Christly, chief information security officer for security company Netsurion.
“Plus card info is shared with the hotel before the guest even arrives through the booking process. All of this gives cybercriminals multiple opportunities and points of entry for the hacks,” he said.